Bitlocker Aktivieren Windows 11


Celena Holtzberg

Jul 14, 2024, 7:11:24 PM
to mantagasu

I had to type the Windows recovery key after each Fedora update when booted to Windows, but that might be just my hardware and Nvidia stuff, and eventually it just lost the boot option to Fedora, ending with running a WSL or VM setup and the second laptop just Fedora bare metal.

From within Windows, use the disk manager to shrink the Windows partition and allow space for the Fedora install. This is especially critical since you are using BitLocker. The space freed up must remain unallocated.

Boot the Fedora installation media and do the install. Do NOT create an additional ESP partition, but allow Fedora to automatically perform the partitioning and install. It is best to allow both OSes to share the existing ESP partition.
(Experienced users may define their own partitions, but normally Fedora does it quite well with the automatic install.)

I do not use BitLocker, so I have no experience with the stated need to use the UEFI boot menu to boot Windows. Yes, GRUB is the default boot loader in Fedora and it is installed automatically. When dual booting, the GRUB menu should show each time you boot, which normally allows the user to select the kernel or OS to boot.

This depends upon your hardware and what drivers you use. If you do not install software that requires locally compiled kernel modules, then Secure Boot may remain enabled. I think Windows 11 probably uses Secure Boot by default (and may even require it). You may also sign the locally compiled modules, which will allow them to load and also allow keeping Secure Boot enabled.

If you have a GPU such as Nvidia and use the Nvidia drivers, or use VirtualBox to run VMs, both have locally compiled kernel modules and require that either you disable Secure Boot to use unsigned modules, or create a local signing key and enroll it into the BIOS so the modules are signed when compiled and you can continue to use Secure Boot.

I use Secure Boot, and have installed Nvidia drivers as well as VirtualBox from the RPM Fusion repo. There is a package named akmods that manages compiling and signing these modules for me.
Once the package akmods is installed, there is a readme file /usr/share/doc/akmods/README.secureboot containing the instructions on how to create and enroll the key so modules may be automatically signed and will load with Secure Boot enabled.

This may be a result of using BitLocker. Is it possible to disable BitLocker without a full reinstall?
If not, then it should be possible to copy off the data you desire to keep, then do a new install of Windows without BitLocker and start over with the Fedora install.

It has been many years since I worked with windows at that level. His info reminded me of what I used to do when windows was my main OS and had forgotten by now. Admin tasks done 15 or more years back tend to be forgotten.

I have only booted Windows once in the last 6 months, and that was only for update purposes. Since Windows does the auto updates without asking for permission, I did not want it updating when I happened to be travelling and on a slow or metered connection.

If you really do not need Windows, it seems that you might consider installing Fedora on the drive, then use libvirt and virt-manager to create a VM of about 50 GB or so in size and install Windows 10 into that VM so it would be available if needed. I guess that it might be possible to use Win 11 in that manner, but I have not tried that yet. Win 11 requires Secure Boot and TPM. libvirt does provide Secure Boot, but I have not tested the TPM capabilities.

I ran virt-manager on Fedora for testing and installed Windows 11 with Secure Boot and TPM without the virtIO setup, and it works. There are just some settings you need to set to enable Secure Boot and TPM in virt-manager, pretty easy actually, and I might even do it again just for fun.

2019-10-01: With the September 2019 update KB4516045, BitLocker uses software instead of hardware encryption by default. Likely reason: the security of software encryption can be controlled by Microsoft, whereas hardware encryption in the drive may be buggy.

Doing encryption in hardware on the disk drive instead of in software by the CPU should be more effective. That translates into longer battery life and higher performance. AnandTech has some numbers that illustrate these points.

What Microsoft does not list in their requirements is that older versions of the Intel Rapid Storage Technology Driver prevent hardware encryption. There is a 12-page thread in the Lenovo forums mainly about this problem. Version 13.2 of the RST driver fixes the issue, so make sure you have at least that version installed.

The following instructions worked for me. I am using a Samsung SSD 850 Pro as data drive, so the UEFI requirements do not apply (although I do have the BIOS mode set to UEFI). The computer is a Lenovo W540 laptop.

The BitLocker UI in Control Panel does not tell you whether hardware encryption is used, but the command line tool manage-bde.exe does when invoked as manage-bde.exe -status. In its output you can see that hardware encryption is enabled for D: (Samsung SSD 850 Pro) but not for C: (Samsung SSD 840 Pro, which has no support for hardware encryption):

I have tried many, many ways to replicate this post on my Samsung SSD 850 EVO (not PRO) without success. My laptop is an HP without TPM support, and every try I make leads to software encryption. It is very stressful not to be able to perform the hardware encryption.

Great article. A good thing to note: on my T440P I used to install the latest and greatest RST driver 14.5.0.1081; however, after 4 hours of troubleshooting I realized that somehow FDE will not work with this version and will fall back to software (leaving the M$ one works). Not sure what would happen if I add 14.5 after encrypting; ran out of patience.

Update: At least on Windows 10, installing RST drivers will fall back to software encryption; encrypting and then updating the driver for AHCI will also break encryption, which is very difficult to recover from via PSID revert.

Maybe a dumb question: if I do this with a brand new EVO 850, by hooking it up to my current Windows and performing the steps above, can I then turn off the PC, disconnect all the other hard drives (leaving only the encrypted EVO 850 connected) and install Windows 10 with a clean install?

Has anyone figured out how to restore a system image backup to a hardware-encrypting SSD (eDrive)? The problem I am experiencing is that I can successfully restore the system image to the SSD, but hardware encryption can no longer be enabled like it could before the backup and restore.

What I learned is that restoring a Microsoft system image backup from the M500 breaks the hardware encryption capability but otherwise works normally. I also tried cloning the M500 to the MX300 using Paragon Hard Disk Manager, but that broke the hardware encryption capability as well. And lastly, I tried imaging and then restoring the M500 to the MX300 using Paragon HDM but got the same results: Windows works fine, but the hardware encryption cannot be re-enabled.

I wish that some Microsoft engineers working in the BitLocker department would address this shortcoming, either by explaining why this behaviour exists (maybe they think it is necessary for security reasons) or by treating it as a bug and working on fixing it.

Storage type must be AHCI.
The computer must always boot natively from UEFI.
The computer must have the Compatibility Support Module (CSM) disabled in UEFI.
The computer must be UEFI 2.3.1 based and have the EFI_STORAGE_SECURITY_COMMAND_PROTOCOL defined. (This protocol is used to allow programs running in the EFI boot services environment to send security protocol commands to the drive.)

From a Windows install that meets the above criteria:
Set the state to "ready to enable" via Samsung Magician.
Make a secure erase USB (for DOS).
Reboot the PC and change the boot mode to BIOS boot (for the secure erase USB).
Boot into the secure erase tool and erase.
Reboot the PC and change the BIOS boot settings to EFI again (do not let the PC start booting from the drive, or you might have to start the process from the beginning).
Boot back to the Windows disk and check via Samsung Magician, or install Windows to your secure-erased disk.

This is incorrect. For hardware encryption, the TPM is absolutely required. You cannot have a hardware-accelerated BitLocker drive without a TPM enabled and CSM disabled. You must have the drive set to hardware accelerated mode (active). Also, you cannot secure erase a Samsung drive set to hardware accelerated active mode. This too is incorrect. You must secure erase the drive before setting the drive to hardware accelerated mode.

You need to pull the drive and put it into a different Win1x Pro machine as a fixed drive. Use the Samsung software to secure erase the drive. Reboot into Win 1x Pro and run Magician 7.x. Enable hardware acceleration. Remove the drive and put it back into the XPS computer. Install the OS. Edit the local group policy to force hardware acceleration. Enable BitLocker. Save your recovery keys!! You will need them if you update the BIOS.

This article explains how to install a Samba v4 Active Directory domain controller in a Docker container. It's part of a mini-series about running Samba Active Directory and file server service on a home server.

This article describes the steps necessary to upgrade PostgreSQL to a new major version in a Docker environment. There are many articles on the subject, but I couldn't find any that were complete, correct, and concise. So I wrote my own.

In my previous guide, we have seen how to enable BitLocker on a Windows 11 operating system drive. By default, on a BitLocker-activated operating system drive, you are not asked for any PIN at startup. But if you want to increase the security of your encrypted drive, you can enable a BitLocker PIN at startup in Windows 11.
